Separating between groups of nodes within a communication network, where each group constitutes a separated network environment, is becoming a key element in the field of information security. Consider for example the network architecture illustrated in FIG. 1, which shows two Local Area Networks LAN1 and LAN2 (LAN—local area network) that are connected over an encrypted Virtual Private Network (VPN) tunnel, established by two access routers (R1 and R2). LAN1 and LAN2 can represent, for example, local area networks of the same organization, which are located at different locations on the globe. As can be seen in FIG. 1 routers R1 and R2 on either sides of the network are connected each to a number of nodes. The nodes in LAN1 and LAN2 are divided into departments, department A (e.g. engineering) and department B (e.g. accounting). The nodes which are assigned to department A in both LAN1 and LAN2 constitute a first network environment and the nodes which are assigned to department B in both LAN1 and LAN2 constitute a second network environment.
For various reasons it is often advantageous to maintain a clear separation between different departments in the same organization and establish separate network environments, which prevent unauthorized data transfer from one environment to the other. However, while data which is being transferred from one LAN to another can be encrypted, once the data enters the internal domain of the target LAN it is decrypted and becomes vulnerable to access by unauthorized environments.
Published references considered to be relevant as background to the presently disclosed subject matter are listed below. Acknowledgement of the references herein is not to be inferred as meaning that these are in any way relevant to the patentability of the presently disclosed subject matter.
IEEE Standard for Local and metropolitan area networks Virtual Bridged Local Area Networks: IEEE Std 802.1Q™-2005, IEEE Std 802.1Q-1998, IEEE Std 802.1u™-2001, IEEE Std 802.1v™-2001, and IEEE Std 802.1s™-2002.